Good news for Utahns: The enactment of the Consumer Privacy Act in Utah last March has landed the state in second place, alongside Virginia, for online privacy, according to a recent study released by Comparitech. Utah became the first state to lawfully protect the electronic information that individuals entrust to third parties. While the law’s protections mark significant and groundbreaking progress, Utah has a way to go if it wants to catch up to California as shown in Comparitech’s data.

Each state was evaluated on 25 key criteria, which was then turned into a percentage. Utah scored 52% compared with California’s 80%. Close on the heels of Utah and Virginia were Delaware at 46% and Illinois at 40%. Near the bottom of the list was our neighbor Idaho at 6%. The method used was a simple one: 1 point for each type of law existing across the U.S. for a total of 25 possible points. If a state’s law provided partial protection, it scored half a point.

Arguably, some types of laws are more important than others. For instance, a law protecting e-reader privacy is less important than one that protects privacy rights and enforces marketing restrictions for minors, both of which California has and Utah does not. Let’s take a look into what the Consumer Privacy Act provides for Utah citizens and then we’ll turn to additional privacy protections that could be addressed here in our state.

The Consumer Privacy Act will come into effect on Dec. 31, 2023, which gives businesses time to comply with the new law. Utah’s law has been characterized as more “business friendly” than similar laws in other states. The law ensures consumers are aware of the data companies are collecting about them, that they can opt out of third-party data sharing and they can request that their data is deleted. The act also protects geolocation data, making Utah one of just five states to have this specific provision within its data protection laws.

The act also includes data disposal laws for governments and companies, social media privacy laws for employers and educational institutions, and laws to govern the use of artificial intelligence and genetic data, one of only eight in the country — none of which are California. Finally, it requires law enforcement to obtain a warrant with probable cause to access any electronic data held by a third party with a few exceptions.

But what don’t we have? The trend is to refine data security laws to apply to specific sectors such as data brokers, internet service providers (ISPs) and the Internet of Things (IoT). These are areas that legislators could investigate to strengthen online privacy protections for Utahns.

The IoT sector is growing dramatically. Research firm IoT Analytics predicts the number of active IoT devices will grow 21.5 billion in 2025, more than double what it was in 2019. IoT includes any device that is connected to the internet and sends data to other devices or people. If you have an Amazon Echo at home or your car sends driving data to your insurance company, you are part of the IoT. While there is federal legislation that regulates manufacturers that produce such devices, it applies only to government contractors. California and Oregon are the only states with wider protections.

These state laws are targeted at manufacturers that must obtain a certificate of compliance to sell goods in these states. To comply, manufacturers must provide “reasonable cybersecurity measures,” including being able to protect the device from any unauthorized attempts to access or modify information from within it. Critics noted the California bill does not specify penalties for noncompliance.

Oregon benefitted by writing its legislation after California and added two important safeguards. The language further defines devices as those “used primarily for personal, family, or household purposes.” The state was very clear on penalties. A violation will be considered “an unlawful trade practice under Oregon’s consumer protection law and may result in an enforcement action by the Oregon regulator, with penalties including investigative actions, injunctive mandates and, for willful violations, fines of up to $25,000 per violation.”

Utah is heading in the right direction, setting an example for other states to follow.

Leslie Meredith has been writing about technology for more than a decade. As a mom of four, value, usefulness, and online safety take priority. Have a question? Email Leslie at asklesliemeredith@gmail.com.

Newsletter